General

  • Target

    9d4b9c3b9efd2291555a14c9b0527fc83c1291d426e7be13c04ddb3a656bba71

  • Size

    1.3MB

  • Sample

    231110-3np7waad51

  • MD5

    d865b213268599bb70f575a2711f6a4d

  • SHA1

    b4786a5d2c0634c0217b535f5b38e3089584c1d6

  • SHA256

    9d4b9c3b9efd2291555a14c9b0527fc83c1291d426e7be13c04ddb3a656bba71

  • SHA512

    3ff8ff558599e2da9ea008088f14822402c91f460fdd3ea6b0151982cff0c252ea1794b0d6598d762be089d43c370a47f6001980158a8f8d4ef75989b5992a2d

  • SSDEEP

    24576:yyOYBaKaeHIsZCgGMOkDPKKXksxPw4LB1tt32aHmqseGfhIQ/pvj/zTUVyJ:ZOYBYeoIjGAfdxI0BjkCvsPfHRvj/0

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

    • Target

      9d4b9c3b9efd2291555a14c9b0527fc83c1291d426e7be13c04ddb3a656bba71

    • Size

      1.3MB

    • MD5

      d865b213268599bb70f575a2711f6a4d

    • SHA1

      b4786a5d2c0634c0217b535f5b38e3089584c1d6

    • SHA256

      9d4b9c3b9efd2291555a14c9b0527fc83c1291d426e7be13c04ddb3a656bba71

    • SHA512

      3ff8ff558599e2da9ea008088f14822402c91f460fdd3ea6b0151982cff0c252ea1794b0d6598d762be089d43c370a47f6001980158a8f8d4ef75989b5992a2d

    • SSDEEP

      24576:yyOYBaKaeHIsZCgGMOkDPKKXksxPw4LB1tt32aHmqseGfhIQ/pvj/zTUVyJ:ZOYBYeoIjGAfdxI0BjkCvsPfHRvj/0

    • Detect Mystic stealer payload

    • Detected Google phishing page

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks